
Richard Lynch
13 years ago
In my experience:

1)
PHP / openldap / whatever could NOT read .pem files.
They had to be .pfx or .cer
(I don't even know which one worked. I converted the .pem to both and called it done.)

2)
In /etc/openldap/ldap.conf you must:
Either set TLS_CACERT /etc/openldap/cacerts/YOURCERT.pfx
Or set TLS_CACERTDIR /etc/openldap/cacerts/
The first one constrains you to a specific cert.
The latter tries all of them in the directory.

3)
You have various options for TLS_REQCERT:
allow (use it if you need it)
require (must have a cert)
You'll have to read openldap docs for the rest.
I used allow, and it worked.
ymmv

4)
I did not change anything in the (very long) default /etc/ldap.conf file

5)
I did not change anything in the self-documenting /etc/autofs_ldap_auth.conf
Mainly because I just found it while typing this up, and I have no idea what it does. Presumably 'autofs' implies you can mount some LDAP server as a mount point or something at boot... Sounds funky to me, but knock yourself out playing with it.

This was all with various versions of PHP ranging from 5.2 to 5.3. No promises about other versions.

6)
ldapsearch -VV says it's 2.3.43
Dunno if that comes with openldap or I downloaded it separately. Long time ago. Very handy CLI tool for mucking around without PHP in the middle, so you can cross-check that it's PHP or not.
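The ldap.conf settings described in the note (TLS_CACERT and TLS_REQCERT) can also be applied from PHP itself, which is useful when you cannot edit /etc/openldap/ldap.conf. The following is an added example, not part of the note above; the host name, CA file path, bind DN and the LDAP_PASSWORD environment variable are placeholders, and the return type needs PHP 8.1 or later.

```php
<?php
// Added example (not the note author's code). Host, CA path and bind DN
// are placeholders; adjust for your own directory.
declare(strict_types=1);

/**
 * Open an LDAP connection and upgrade it with STARTTLS, verifying the server
 * certificate against a trusted CA. This is the PHP equivalent of
 * "TLS_REQCERT demand" plus "TLS_CACERT <file>" in /etc/openldap/ldap.conf.
 */
function ldap_connect_verified(string $uri, string $caFile): \LDAP\Connection|false
{
    // Global TLS options must be set before the connection is opened.
    // LDAP_OPT_X_TLS_DEMAND refuses any server whose certificate does not
    // chain to $caFile. LDAP_OPT_X_TLS_ALLOW (the note's "allow") accepts a
    // missing or unverifiable certificate, so the peer is never authenticated.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    // STARTTLS on the plain port. With "demand" this fails, rather than
    // silently continuing in cleartext, when verification does not succeed.
    if (!ldap_start_tls($ldap)) {
        error_log('STARTTLS failed: ' . ldap_error($ldap));
        ldap_unbind($ldap);
        return false;
    }
    return $ldap;
}

$ldap = ldap_connect_verified('ldap://ldap.example.test', '/etc/openldap/cacerts/ca.pem');
if ($ldap !== false) {
    // Bind only after TLS is up so the credentials never travel in the clear.
    if (ldap_bind($ldap, 'cn=reader,dc=example,dc=test', getenv('LDAP_PASSWORD') ?: '')) {
        echo "Bound over TLS with a verified server certificate\n";
    }
    ldap_unbind($ldap);
}
```

To cross-check outside PHP, as the note suggests, `ldapsearch -ZZ -H ldap://host` uses the same ldap.conf settings and fails the same way when the certificate does not verify.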
